Routing between overlapping networks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Routing between overlapping networks

L0 Member

Hello,

I want to replace our existing firewall with a PA-850. Thereby I have a problem, which I cannot get solved.

I have to route to an external network, which unfortunately uses the same subnet as ours.

Until now, I have used a small Linux VM, which uses DNAT to convert the addresses.

In principle the PA-850 should be able to do this with another virtual router and NAT rules. At least I hope so.

But I do not know exactly how to implement this.

 

The attached image should explain the problem:

problem.PNG

 

 

With kind regards

 

1 accepted solution

Accepted Solutions

Hello and thanks for your answer.

You have put me in the right direction.

Luckily we don't use the 192.168.0.0/24 range in our /16 subnet.
So I was able to solve the problem via NAT and route without another Linux VM.

But for the solution I needed another virtual router. I can' t bind the 192.168.99.1 interface to the default router because its subnet is already bound to the 192.168.100.15/16 interface.

The following picture should explain my solution:

solve.PNG

Thanks a lot!

View solution in original post

3 REPLIES 3

L2 Linker

Hi

Can you elaborate? I don't see any overlaps in diagram.

 

L2 Linker

The overlap that you have in the 192.168.0.0/16 network isn't something that can be fixed by using a second virtual router. The first routing lookup decision would work to force the 10.0.0.3 address to the correct zone. Once NAT is matched the second routing lookup will take place and then send the traffic to internal network.

 

If the 192.168.0.0/24 subnet is not used in your network, then you can just a NAT on the firewall and a route to send it to the next hop.

 

If you are using 192.168.0.0/24 in your network, then this could be resolved by using a second virtual system, but the PA-850 does not support multiple virtual systems. A minimum of PA-3200 is needed to get the multi-vsys feature.

 

If you can perform a source NAT on the traffic prior to it being received on the PA-850 (Linux VM with DNAT), then you would then use a PBF rule for the source of the Linux VM to the destination of the 192.168.0.3 server, to use the next hop of 192.168.99.252. The Linux VM just needs to be able to route that traffic to the PA-850 for that address/subnet.

Hello and thanks for your answer.

You have put me in the right direction.

Luckily we don't use the 192.168.0.0/24 range in our /16 subnet.
So I was able to solve the problem via NAT and route without another Linux VM.

But for the solution I needed another virtual router. I can' t bind the 192.168.99.1 interface to the default router because its subnet is already bound to the 192.168.100.15/16 interface.

The following picture should explain my solution:

solve.PNG

Thanks a lot!

  • 1 accepted solution
  • 4146 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!